U.S. patent application number 12/329375 was filed with the patent office on 2009-11-12 for communication apparatus, server, and computer program product therefor.
This patent application is currently assigned to Kabushiki Kaisha Toshiba. Invention is credited to Satoshi Ito, Toru Kambayashi, Taku Kato, Ryuiti Koike, Hideki Matsumoto, Tatsuyuki Matsushita, Hideaki SATO, Haruhiko Toyama, Kentaro Umesawa.
Application Number | 20090282250 12/329375 |
Document ID | / |
Family ID | 41267844 |
Filed Date | 2009-11-12 |
United States Patent
Application |
20090282250 |
Kind Code |
A1 |
SATO; Hideaki ; et
al. |
November 12, 2009 |
COMMUNICATION APPARATUS, SERVER, AND COMPUTER PROGRAM PRODUCT
THEREFOR
Abstract
A communication apparatus receives, from another communication
apparatus, a plurality of encrypted pieces obtained by encrypting a
plurality of pieces constituting a part of a content and obtains a
part or all of decryption keys used for decrypting the encrypted
pieces. The communication apparatus also obtains an invalid piece
list showing one or more identifiers of one or more encrypted
pieces that can respectively be decrypted by using one or more
decryption keys that have already been invalidated. In the case
where at least one of the encrypted pieces is listed in the invalid
piece list, the communication apparatus deletes the at least one of
the encrypted pieces, based on an obtainment status of the
encrypted pieces or an obtainment status of the decryption
keys.
Inventors: |
SATO; Hideaki; (Kanagawa,
JP) ; Matsushita; Tatsuyuki; (Tokyo, JP) ;
Umesawa; Kentaro; (Kanagawa, JP) ; Matsumoto;
Hideki; (Kanagawa, JP) ; Koike; Ryuiti;
(Tokyo, JP) ; Kato; Taku; (Kanagawa, JP) ;
Toyama; Haruhiko; (Kanagawa, JP) ; Ito; Satoshi;
(Tokyo, JP) ; Kambayashi; Toru; (Kanagawa,
JP) |
Correspondence
Address: |
Charles N.J. Ruggiero;Ohlandt, Greeley, Ruggiero & Perle, L.L.P.
10th Floor, One Landmark Square
Stamford
CT
06901-2682
US
|
Assignee: |
Kabushiki Kaisha Toshiba
|
Family ID: |
41267844 |
Appl. No.: |
12/329375 |
Filed: |
December 5, 2008 |
Current U.S.
Class: |
713/171 |
Current CPC
Class: |
H04L 9/083 20130101;
H04L 2209/60 20130101; H04L 9/14 20130101; H04L 9/0891
20130101 |
Class at
Publication: |
713/171 |
International
Class: |
H04L 9/00 20060101
H04L009/00 |
Foreign Application Data
Date |
Code |
Application Number |
May 8, 2008 |
JP |
2008-122177 |
Claims
1. A communication apparatus comprising: a receiving unit that
receives, from at least another communication apparatus, a
plurality of encrypted pieces obtained by encrypting a plurality of
pieces that constitute a part of a content by using mutually
different encryption keys; a memory to store the encrypted pieces
received by the receiving unit, with corresponding identifiers; a
key obtaining unit that obtains a part or all of decryption keys
used for decrypting the encrypted pieces; a list obtaining unit
that obtains an invalid piece list showing one or more identifiers
of one or more encrypted pieces that have already been invalidated;
and a deleting unit that deletes at least one of the encrypted
pieces from the memory according to an obtainment status of the
encrypted pieces or an obtainment status of the decryption keys,
when the at least one of the encrypted pieces is listed in the
invalid piece list.
2. The apparatus according to claim 1, wherein the deleting unit
deletes the at least one of the encrypted pieces from the memory,
when at least one of the encrypted pieces is listed in the invalid
piece list.
3. The apparatus according to claim 1, wherein the deleting unit
includes a determining unit that determines whether at least one of
the encrypted pieces is deleted, according to a ratio of pieces
received as the encrypted pieces to the plurality of pieces, when
the at least one of the encrypted pieces is listed in the invalid
piece list, and a piece deleting unit that deletes at least one of
the encrypted pieces from the memory according to a result of
determination of the determining unit.
4. The apparatus according to claim 1, wherein the deleting unit
includes a determining unit that determines whether at least one of
the encrypted pieces is deleted when the at least one of the
encrypted pieces is listed in the invalid piece list, according to
whether a part or all of the decryption keys are obtained; and a
piece deleting unit that deletes the at least one of the encrypted
pieces from the memory according to a result of determination of
the determining unit.
5. The apparatus according to claim 1, wherein the content
receiving unit receives, from at least another communication
apparatus, an encrypted piece from which a same piece can be
decrypted as from the at least one of the encrypted pieces, by
using a decryption key different from the decryption key used for
decrypting the at least one of the encrypted pieces, when the at
least one of the encrypted pieces is deleted from the memory.
6. The apparatus according to claim 1, wherein the list obtaining
unit obtains the invalid piece list by receiving the invalid piece
list from at least one of the at least another communication
apparatus and a management server, the management server storing
connection destination information used for accessing the at least
another communication apparatus and transmitting the connection
destination information to the communication apparatus.
7. The apparatus according to claim 1, wherein the list obtaining
unit obtains the invalid piece list showing one or more hash values
calculated by using the one or more encrypted pieces that have
already been invalidated, and the apparatus further comprises: a
calculating unit that calculates a hash value by using each of the
received encrypted pieces; and a judging unit that judges whether
any of the received encrypted pieces corresponds to the one or more
encrypted pieces that can respectively be decrypted by using the
one or more decryption keys that have already been invalidated,
according to whether any of the calculated hash values is listed in
the invalid piece list.
8. The apparatus according to claim 1, further comprising a
transmitting unit that transmits a request message for requesting
the decryption keys used for decrypting the encrypted pieces to a
key server storing the decryption keys, wherein the key obtaining
unit receives, from the key server, a part or all of the decryption
keys determined by the key server to be transmitted to the
communication apparatus in response to the request message.
9. A communication apparatus comprising: a receiving unit that
receives, from at least another communication apparatus, a
plurality of encrypted pieces obtained by encrypting a plurality of
pieces that constitute a part of a content by using mutually
different encryption keys; a key obtaining unit that obtains a part
or all of the decryption keys used for decrypting the encrypted
pieces; and a list obtaining unit that obtains an invalid piece
list showing one or more identifiers of one or more encrypted
pieces that have already been invalidated, wherein the receiving
unit requests an encrypted piece that is not listed in the invalid
piece list from the at least another communication apparatus and
receives the requested encrypted piece from the at least another
communication apparatus.
10. A server comprising: a receiving unit that receives a request
message for requesting decryption keys used for decrypting a
plurality of encrypted pieces from a communication apparatus that
receives the encrypted pieces from at least another communication
apparatus, the encrypted pieces being obtained by encrypting a
plurality of pieces that constitute a part of a content by using
mutually different encryption keys; a first storage unit that
stores the decryption keys; a list obtaining unit that obtains an
invalid piece list showing one or more identifiers of one or more
encrypted pieces that have already been invalidated; a determining
unit that determines whether the decryption keys are transmitted,
according to whether any of the encrypted pieces that can
respectively be decrypted by using the decryption keys requested in
the request message is listed in the invalid piece list; and a key
transmitting unit that reads the decryption keys requested in the
request message from the first storage unit and transmits the read
decryption keys to the communication apparatus, when the
determining unit has determined that the decryption keys are
transmitted.
11. The server according to claim 10, further comprising a
replacement determining unit that determines a decryption key used
for decrypting an encrypted piece from which a same piece can be
decrypted as from the encrypted piece listed in the invalid piece
list, by using a decryption key different from the decryption key
used for decrypting the encrypted piece listed in the invalid piece
list, when the determining unit has determined that the decryption
keys is not transmitted, wherein the key transmitting unit
transmits, to the communication apparatus, replacement index
information specifying the decryption key that has been determined
by the replacement determining unit, when the determining unit has
determined that the decryption keys is not transmitted.
12. The server according to claim 11, further comprising a second
storage unit that stores the encrypted pieces, wherein the key
transmitting unit transmits, to the communication apparatus, one of
the encrypted pieces together with the replacement index
information, when the determining unit has determined that the
decryption keys is not transmitted, the encrypted pieces being
stored in the second storage unit from which a same piece can be
decrypted as from the encrypted piece listed in the invalid piece
list, by using a decryption key different from the decryption key
used for decrypting the encrypted piece listed in the invalid piece
list.
13. The server according to claim 10, wherein the determining unit
determines whether the decryption keys are transmitted, based on a
combination of the decryption keys requested in the request
message.
14. A computer program product having a computer readable medium
including programmed instructions, wherein the instructions, when
executed by a computer, cause the computer to perform: receiving,
from at least another communication apparatus, a plurality of
encrypted pieces obtained by encrypting a plurality of pieces that
constitute a part of a content by using mutually different
encryption keys; storing the encrypted pieces received by the
receiving unit, with corresponding identifiers; obtaining a part or
all of decryption keys used for decrypting the encrypted pieces;
obtaining an invalid piece list showing one or more identifiers of
one or more encrypted pieces that have already been invalidated;
and deleting at least one of the encrypted pieces from the memory
according to an obtainment status of the encrypted pieces or an
obtainment status of the decryption keys, when the at least one of
the encrypted pieces is listed in the invalid piece list.
15. A computer program product having a computer readable medium
including programmed instructions, wherein the instructions, when
executed by a computer, cause the computer to perform: receiving a
request message for requesting decryption keys used for decrypting
a plurality of encrypted pieces from a communication apparatus that
receives the encrypted pieces from at least another communication
apparatus, the encrypted pieces being obtained by encrypting a
plurality of pieces that constitute a part of a content by using
mutually different encryption keys; obtaining an invalid piece list
showing one or more identifiers of one or more encrypted pieces
that have already been invalidated; determining whether the
decryption keys are transmitted, according to whether any of the
encrypted pieces that can respectively be decrypted by using the
decryption keys requested in the request message is listed in the
invalid piece list; and reading the decryption keys requested in
the request message from a storage unit, when it has been
determined that the decryption keys are transmitted, and
transmitting the read decryption keys to the communication
apparatus.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is based upon and claims the benefit of
priority from the prior Japanese Patent Application No.
2008-122177, filed on May 8, 2008; the entire contents of which are
incorporated herein by reference.
BACKGROUND OF THE INVENTION
[0002] 1. Field of the Invention
[0003] The present invention relates to a communication apparatus
that receives an encrypted content encrypted with an encryption key
from another communication apparatus, a server that transmits a
decryption key used for decrypting the encrypted content, and a
computer program product therefor.
[0004] 2. Description of the Related Art
[0005] Generally speaking, systems used for distributing contents
include "single server" systems and "distributed server" systems.
In a single-server system, for example, one content server is
connected to a license server and clients via a network so that a
content is distributed from the content server to each of the
clients. The distributed content is encrypted, and key information
related to the encryption process is stored in the license server.
The content server stores the content therein as E(KT) [C]. In this
expression, "KT" is a key called a title key, whereas "C" is a
content in plain text. E(KT) [C] means that "C" is encrypted with
"KT". The key information contains "KT". A client B obtains the key
information from the license server, encrypts the key information
with a key KB that is unique to the client (i.e., the client B),
and stores therein the encrypted key information in correspondence
with the content E(KT) [C] that has been received from the content
server. After that, the client B decrypts the key information with
the key KB, takes out the title key KT, and decrypts the content
E(KT) [C] with the title key KT. Thus, the client B is able to use
the content.
[0006] In this configuration, when the client B downloads the
content E(KT) [C] from the content server, the client B and the
content server perform an authentication process and a key exchange
process with each other. As a result, the client B shares a
temporary key KtmpB. The content server encrypts the content E(KT)
[C] with the temporary key KtmpB and transmits a content E(KtmpB)
[E(KT) [C]] to the client B. The client B decrypts the content
E(KtmpB) [E(KT) [C]] with the temporary key KtmpB that the client B
shares with the content server as a result of the authentication
and the key exchange processes described above and takes out E(KT)
[C]. In this configuration, even if the encrypted content E(KtmpB)
[E(KT) [C]] is illegitimately read on a path in the network, it is
not possible to decrypt the illegitimately read content unless the
temporary key KtmpB is available. In other words, the content is
encrypted with the temporary key that is different for each of the
clients, so that the content is individualized for each of the
clients. As a result, it is possible to inhibit illegitimate use of
the content. For example, by configuring a temporary key KtmpA for
a client A and the temporary key KtmpB for the client B so as to be
different from each other, a content E(KtmpA) [E(KT) [C]]
distributed to the client A and the content E(KtmpB) [E(KT) [C]]
distributed to the client B are mutually different individual
pieces of data. By individualizing the content with the mutually
different encryption keys in this manner, it is possible to inhibit
illegitimate use of the content.
[0007] In a single-server system, however, because the
communication is performed between each of the clients and the
content server in a one-to-one manner, when a large number of
clients try to receive the distribution of a content from the
content server, a problem arises where the level of distribution
efficiency is lowered.
[0008] On the other hand, examples of the distributed-server
systems include a content distribution system called BitTorrent
that uses a peer-to-peer (P2P) network (see, for example,
BitTorrent Protocol Specification v. 1.0). In this system, a
tracker that is different for each of the contents, a seeder, and a
leecher are connect to one another by using the P2P network. Also,
each of the distributed contents is divided into a plurality of
pieces. The seeder is a node that distributes the pieces
constituting a content for the purpose of distributing (i.e.,
uploading) the content. The leecher is a node that receives the
pieces constituting the content and distributes the pieces
constituting the content for the purpose of receiving (i.e.,
downloading) the content. In other words, a leecher may become a
seeder when the leecher has obtained a certain number of pieces
that constitute the content. Thus, some of the seeders have become
a seeder after a leecher has received a part or all of the pieces
that constitute a content, and other seeders are each a seeder
(from the beginning) that is provided on the system side (in
advance or during a distribution). The latter type of seeders will
be referred to as initial seeders. An initial seeder stores therein
a part or all of the pieces that constitute one content. In the
explanation below, a "seeder" denotes either a seeder or an initial
seeder, unless stated otherwise. A node denotes one of a leecher, a
seeder, and an initial seeder. A tracker stores therein node
information related to each of the nodes. When a leecher has
accessed the tracker, the tracker provides the node information for
the leecher.
[0009] In this configuration, when a leecher is to receive a
distribution of a content, the leecher first obtains information
called a Torrent File. The Torrent File is, for example, given from
a server (hereinafter, a "sales server") offering a service of
selling contents to content providers or users, to another node or
another sales server, and is further given by said another node or
said another sales server to a leecher. Alternatively, another
arrangement is acceptable in which the Torrent File is recorded on
a recording medium like a Compact Disk Read-Only Memory (CD-ROM)
and distributed offline to a leecher. The Torrent File stores
therein tracker information related to the content and file
information of the content. The tracker information contains a
connection destination of the tracker. The file information
contains, for example, hash information of the pieces that
constitute the content. The hash information is used for checking
the completeness of the pieces. In other words, the hash
information is used for calculating hash values of the pieces
downloaded by the leecher, comparing the calculated hash values
with hash values of the pieces, and checking to see if the received
pieces have not been tampered.
[0010] When having obtained the Torrent File, the leecher connects
to the tracker based on the tracker information. The tracker
transmits the node information described above to the leecher. The
node information contains a list of connection destinations of one
or more nodes. The leecher connects to a plurality of nodes, based
on the node information. As for the pieces distributed by the
nodes, it is often the case that the pieces are mutually different
for each of the nodes. Because the leecher is able to receive the
mutually different pieces from the plurality of nodes, the leecher
is able to receive the content at a high speed.
[0011] As explained above, in such a content distribution system
that uses a P2P network, the content is stored as being distributed
in the plurality of nodes. Thus, in such a system, even if a large
number of nodes try to receive the distribution of the content,
each of the node is able to receive the distribution of the content
from the plurality of other nodes via the P2P network. Thus, P2P
content distribution systems have a higher level of distribution
efficiency than single-server systems.
[0012] In a content distribution system as described above where it
is possible to distribute a content through a plurality of nodes,
it is also desirable to protect the distributed content with an
encryption process so that it is possible to inhibit illegitimate
use of the content. In such a content distribution system, however,
a content that is received by mutually different leechers from a
seeder must be the same for all the leechers even after the content
has been encrypted, unlike in a single-server system. Thus, it is
difficult to distribute an individually encrypted content to each
of the leechers. Consequently, if one key that is used for
decrypting the encrypted content is disclosed, there is a
possibility that it may become possible to decrypt all of the large
number contents that are present in the network.
[0013] On the other hand, U.S. Publication Pat. No. 3,917,395
discloses a content distributing method by which a content is
divided into a plurality of pieces and, for each of the pieces, a
plurality of encrypted pieces are generated by encrypting the piece
with a plurality of encryption keys.
[0014] The content distributing method disclosed in U.S.
Publication Pat. No. 3,917,395 requires that each of the users who
are to receive the distribution of the content should obtain all
the encrypted pieces. Thus, when this content distributing method
is applied to a P2P content distribution system without any
modification, there is a possibility that the level of distribution
efficiency may be lowered. Further, even if there are a plurality
of keys used for decrypting the encrypted content, if the keys are
disclosed, there is a possibility that it may become possible to
decrypt the content without having to legitimately obtain the
decryption keys.
SUMMARY OF THE INVENTION
[0015] According to one aspect of the present invention, a
communication apparatus includes a receiving unit that receives,
from at least another communication apparatus, a plurality of
encrypted pieces obtained by encrypting a plurality of pieces that
constitute a part of a content by using mutually different
encryption keys; a memory to store the encrypted pieces received by
the receiving unit, with corresponding identifiers; a key obtaining
unit that obtains a part or all of decryption keys used for
decrypting the encrypted pieces; a list obtaining unit that obtains
an invalid piece list showing one or more identifiers of one or
more encrypted pieces that have already been invalidated; and a
deleting unit that deletes at least one of the encrypted pieces
from the memory according to an obtainment status of the encrypted
pieces or an obtainment status of the decryption keys, when the at
least one of the encrypted pieces is listed in the invalid piece
list.
[0016] According to another aspect of the present invention, a
communication apparatus includes a receiving unit that receives,
from at least another communication apparatus, a plurality of
encrypted pieces obtained by encrypting a plurality of pieces that
constitute a part of a content by using mutually different
encryption keys; a key obtaining unit that obtains a part or all of
the decryption keys used for decrypting the encrypted pieces; and a
list obtaining unit that obtains an invalid piece list showing one
or more identifiers of one or more encrypted pieces that have
already been invalidated, wherein the receiving unit requests an
encrypted piece that is not listed in the invalid piece list from
the at least another communication apparatus and receives the
requested encrypted piece from the at least another communication
apparatus.
[0017] According to still another aspect of the present invention,
a server includes a receiving unit that receives a request message
for requesting decryption keys used for decrypting a plurality of
encrypted pieces from a communication apparatus that receives the
encrypted pieces from at least another communication apparatus, the
encrypted pieces being obtained by encrypting a plurality of pieces
that constitute a part of a content by using mutually different
encryption keys; a first storage unit that stores the decryption
keys; a list obtaining unit that obtains an invalid piece list
showing one or more identifiers of one or more encrypted pieces
that have already been invalidated; a determining unit that
determines whether the decryption keys are transmitted, according
to whether any of the encrypted pieces that can respectively be
decrypted by using the decryption keys requested in the request
message is listed in the invalid piece list; and a key transmitting
unit that reads the decryption keys requested in the request
message from the first storage unit and transmits the read
decryption keys to the communication apparatus, when the
determining unit has determined that the decryption keys are
transmitted.
[0018] According to still another aspect of the present invention,
a computer program product having a computer readable medium
including programmed instructions, wherein the instructions, when
executed by a computer, cause the computer to perform: receiving,
from at least another communication apparatus, a plurality of
encrypted pieces obtained by encrypting a plurality of pieces that
constitute a part of a content by using mutually different
encryption keys; storing the encrypted pieces received by the
receiving unit, with corresponding identifiers; obtaining a part or
all of decryption keys used for decrypting the encrypted
pieces;
[0019] obtaining an invalid piece list showing one or more
identifiers of one or more encrypted pieces that have already been
invalidated; and deleting at least one of the encrypted pieces from
the memory according to an obtainment status of the encrypted
pieces or an obtainment status of the decryption keys, when the at
least one of the encrypted pieces is listed in the invalid piece
list.
[0020] According to still another aspect of the present invention,
a computer program product having a computer readable medium
including programmed instructions, wherein the instructions, when
executed by a computer, cause the computer to perform: receiving a
request message for requesting decryption keys used for decrypting
a plurality of encrypted pieces from a communication apparatus that
receives the encrypted pieces from at least another communication
apparatus, the encrypted pieces being obtained by encrypting a
plurality of pieces that constitute a part of a content by using
mutually different encryption keys; obtaining an invalid piece list
showing one or more identifiers of one or more encrypted pieces
that have already been invalidated; determining whether the
decryption keys are transmitted, according to whether any of the
encrypted pieces that can respectively be decrypted by using the
decryption keys requested in the request message is listed in the
invalid piece list; and reading the decryption keys requested in
the request message from a storage unit, when it has been
determined that the decryption keys are transmitted, and
transmitting the read decryption keys to the communication
apparatus.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021] FIG. 1 is a block diagram of a content distribution system
according to an exemplary embodiment of the present invention;
[0022] FIG. 2 is a schematic drawing for explaining how a content
is divided into a plurality of pieces;
[0023] FIG. 3 is a schematic diagram illustrating encrypted
pieces;
[0024] FIG. 4 is a diagram illustrating an example of encrypted
pieces stored in a seeder 52A;
[0025] FIG. 5 is a diagram illustrating another example of the
encrypted pieces stored in the seeder 52A;
[0026] FIG. 6 is a diagram illustrating yet another example of the
encrypted pieces stored in the seeder 52A;
[0027] FIG. 7 is a diagram illustrating an example of a data
structure of piece information;
[0028] FIG. 8 is an exemplary functional diagram of a leecher
50;
[0029] FIG. 9 is a diagram illustrating an example of a Torrent
File;
[0030] FIG. 10 is an exemplary functional diagram of a key server
53;
[0031] FIG. 11 is a diagram illustrating an example of a data
structure of node information;
[0032] FIGS. 12A and 12B are flowcharts of a procedure in a content
distributing process;
[0033] FIG. 13 is a flowchart of a procedure in a comparing
process;
[0034] FIG. 14 is a flowchart of a procedure in an invalid
encrypted piece deleting process and a substitute encrypted piece
obtaining process according to a modification example of the
embodiment; and
[0035] FIG. 15 is a flowchart of a procedure in a comparing process
according to a modification example of the embodiment.
DETAILED DESCRIPTION OF THE INVENTION
[0036] FIG. 1 is a block diagram of a content distribution system
according to an exemplary embodiment of the present invention. In
the content distribution system according to the present
embodiment, leechers 50A, 50B, a tracker 51, seeders 52A, 52B, 52C,
and a sales server 54 are connected together via a P2P network NT.
Each of the leechers 50A and 50B is connected to the key server 53
via a network like the Internet (not shown). In this situation,
each of the leechers 50A and 50B and the seeders 52A, 52B, and 52C
is a node. Each of the seeders 52A, 52B, and 52C stores therein
encrypted pieces obtained by encrypting a plurality of pieces into
which a content has been divided, with mutually different
encryption keys. In the following explanation, a content that is
constituted with such encrypted pieces will be referred to as an
encrypted content. The details of such an encrypted content will be
explained later. Of the seeders 52A, 52B, and 52C, the seeder 52A
functions as an initial seeder, which is explained above. The
seeder 52A stores therein all of the encrypted pieces that have
been generated by encrypting each of the pieces constituting the
one content by using a plurality of encryption keys per piece. The
tracker 51 stores therein node information used for accessing each
of the nodes. The key server 53 stores therein decryption keys used
for decrypting the encrypted pieces. The sales server 54 stores
therein a Torrent File.
[0037] The leecher 50A receives the Torrent File from the sales
server 54, obtains the node information by accessing the tracker 51
based on the Torrent File, receives the decrypted pieces by
accessing at least one of the seeders 52A, 52B, 52C, and the
leecher 50B based on the obtained node information, obtains all the
encrypted pieces corresponding to the pieces, and receives a
key-ring containing the decryption keys that are respectively used
for decrypting the encrypted pieces from the key server 53. The
leecher 50B also performs the same processes. In the following
explanation, in the case where the leechers 50A and 50B do not need
to be distinguished from each other, each of them will be simply
referred to as the leecher 50. Similarly, in the case where the
seeders 52A, 52B, and 52C do not need to be distinguished from one
another, each of them will be simply referred to as the seeder
52.
[0038] Next, a configuration of the content will be explained. The
content is any of various types of digital data such as
moving-picture data and audio data like Moving Picture Experts
Group (MPEG) 2 and MPEG 4 as well as text data and still image
data. Also, data that is obtained by encrypting such digital data
will be also referred to as a content. For example, data that is
obtained by encrypting a High Definition Digital Versatile Disk (HD
DVD) prepared video content according to the Advanced Access
Content System (AACS) specifications can also serve as a content.
In the following explanation, the entire content will be identified
as "C". The content "C" may be in plain text or encrypted. FIG. 2
is a schematic drawing for explaining how the content is divided
into a plurality of pieces. For example, one content (i.e., the
content C in the present example) is divided into as many pieces as
N (N>1), the pieces being identified as C1 to CN. The data
lengths of the pieces C1, C2, . . . , CN may all be equal or may be
different from one another. The pieces C1 to CN, the quantity of
which is equal to "N", are encrypted with mutually different
encryption keys. In this situation, of the N pieces, each of as
many pieces as "a" is encrypted by using as many mutually different
encryption keys as "m" per piece. Each of the remaining pieces, the
quantity of which is equal to "N-a", is encrypted by using one
encryption key per piece. In other words, as for each of some of
the pieces the quantity of which is equal to "a", the piece is
encrypted with the mutually different encryption keys the quantity
of which is equal to "m", so that the mutually different pieces
(i.e., the encrypted pieces) the quantity of which is equal to "m"
are generated. As for each of the other pieces the quantity of
which is equal to "N-a", the piece is encrypted with the one
encryption key so that the one encrypted piece is generated for the
one piece. FIG. 3 is a schematic diagram illustrating the encrypted
pieces. It is possible to individualize the entire encrypted
content that is constituted with as many encrypted pieces as "N",
by differentiating the combination of encrypted pieces that is
obtained by selecting one out of as many encrypted pieces as "m"
for each of the pieces the quantity of which is equal to "a".
[0039] Next, a hardware configuration of each of the apparatuses
such as the leecher 50, the tracker 51, the seeder 52, and the key
server 53 will be explained. Each of the apparatuses includes: a
controlling device such as a Central Processing Unit (CPU) that
exercises the overall control of the apparatus; storage devices
such as a Read-Only Memory (ROM) and a Random Access Memory (RAM)
that store therein various types of data and various types of
computer programs (hereinafter, "programs"); external storage
devices such as a Hard Disk Drive (HDD) and a Compact Disk (CD)
drive device that store therein various types of data and various
types of programs; and a bus that connects these constituent
elements to one another. Each of the apparatuses has a hardware
configuration to which a commonly-used computer can be applied. In
addition, a display device that displays information, input devices
such as a keyboard and a mouse that receive inputs of instructions
from the user, and a communication interface (I/F) that controls
communication with external apparatuses are connected to each of
the apparatuses in a wired or wireless manner.
[0040] Next, a functional configuration of the seeder 52 will be
explained. The seeder 52 stores therein the encrypted pieces that
have been obtained by encrypting the plurality of pieces C1 to CN
constituting the content C, in correspondence with indexes (i.e.,
suffixes) of the decryption keys that are used for decrypting the
pieces C1 to CN, respectively. The decryption keys may be the same
as the encryption keys or may be different from the encryption
keys. In either situation, because the pieces C1 to CN have been
encrypted with the encryption keys respectively, it is possible to
identify each of the encrypted pieces by using the index of the
corresponding one of the decryption keys used for decrypting the
encrypted piece. These encrypted pieces are stored in, for example,
an external storage device.
[0041] To simplify the explanation in the following sections, it is
assumed that the encryption keys are identical to the decryption
keys, respectively. In the case where the index of each decryption
key is expressed as (i, j), and the decryption key is expressed as
K(i, j), each encrypted piece can be expressed as below, for
example:
E(K(i, j)) [Cj]
where i and j are integers that satisfy 1.ltoreq.i.ltoreq.m and
1.ltoreq.j.ltoreq.N (m>1); With regard to mutually different
indexes (i, j) and (i', j') where (i, j).noteq.(i', j'), K(i,
j)=K(i', j') may be satisfied.
[0042] The encrypted content that is constituted with the encrypted
pieces can be expressed as below, for example:
{E(K(i1, 1)) [C1], E(K(i2, 2)) [C2], . . . , E(K(iN, N)) [CN]}
where 1.ltoreq.i1, . . . , iN.ltoreq.m is satisfied.
[0043] The sequence of the encrypted pieces in the encrypted
content is expressed with the combination of the indexes of the
encrypted pieces and can be expressed as below, for example (In the
example below, the indexes corresponding to the pieces C1 to CN are
arranged in a row from the left side):
{(i1, 1), (i2, 2), . . . , (iN, N)}
where 1.ltoreq.i1, . . . , iN.ltoreq.m is satisfied.
[0044] Accordingly, what is stored in the seeder 52 while keeping
the encrypted pieces in correspondence with the indexes can be
expressed as below, for example:
{(E(K(i1, 1)) [C1], (i1, 1)), E(K(i2, 2)) [C2], (i2, 2)), . . . ,
E(K(iN, N)) [CN], (iN, N))}
where 1.ltoreq.i1, . . . , iN.ltoreq.m is satisfied.
[0045] Further, the seeder 52A, which is an initial seeder, stores
therein all the encrypted pieces that have been generated by
encrypting each of the encrypted pieces that respectively
correspond to the pieces constituting the content, by using the
plurality of encryption keys per piece. FIG. 4 is a diagram
illustrating an example of the encrypted pieces stored in the
seeder 52A. In FIG. 4, it is indicated that, of the N pieces, each
of as many pieces as "a" (where 1<a<N) is encrypted by using
the plurality of mutually different encryption keys per piece. In
the example shown in FIG. 4, the number of encryption keys used for
encrypting each piece is different for the different pieces. The
number of encryption keys used for encrypting the piece C1 is m,
whereas the number of encryption keys used for encrypting the piece
C3 is two. According to the present embodiment, however, another
arrangement is acceptable in which the number of encryption keys
used for encrypting each piece is the same for all of the pieces.
In a piece processing apparatus, with this arrangement where, of
the N pieces, each of as many pieces as "a" (where 1<a<N) is
encrypted by using the plurality of mutually different encryption
keys per piece, it is possible to have a configuration so that, for
example, the higher the level of importance is, the larger the
number of encryption keys is.
[0046] The present embodiment is not limited to the example
described above. For example, another arrangement is acceptable in
which "a=N" is satisfied as shown in FIG. 5, so that each of all
the N pieces is encrypted by using as many mutually different
encryption keys as "m" per piece. With this arrangement, it is
possible to increase the number of variations of the sequence of
the encrypted pieces. Further, yet another arrangement is
acceptable in which "a=1" is satisfied as shown in FIG. 6, so that
only one of the N pieces is encrypted with as many mutually
different encryption keys as "m". With this arrangement, it is
possible to improve the level of distribution efficiency.
[0047] In the configuration as described above, when being accessed
by the leecher 50, the seeder 52 transmits piece information to the
leecher 50, the piece information indicating the sequence of the
encrypted pieces stored in the seeder 52. FIG. 7 is a diagram
illustrating an example of a data structure of the piece
information. In FIG. 7, it is indicated that the encrypted piece
corresponding to the piece C1 is to be decrypted with a decryption
key K(1, 1), whereas the encrypted piece corresponding to the piece
C2 is to be decrypted with a decryption key K(3, 2). In other
words, the piece information indicates the correspondence
relationship between the encrypted pieces and the decryption keys
each of which is used for decrypting a different one of the
encrypted pieces. When having been requested by the leecher 50 to
distribute an encrypted piece based on the piece information, the
seeder 52 judges whether the requested encrypted piece is stored
therein. In the case where the result of the judging process is in
the affirmative, the seeder 52 transmits the requested encrypted
piece to the leecher 50.
[0048] Next, various types of functions that are realized in the
hardware configuration described above when the CPU of the leecher
50 executes the various types of programs stored in the storage
devices and the external storage devices will be explained. FIG. 8
is an exemplary functional diagram of the leecher 50. The leecher
50 includes a content obtaining unit 500, a key-ring requesting
unit 501, a key-ring obtaining unit 502, a content decrypting unit
503, and an invalid-piece list obtaining unit 504. The actual
substance of each of these constituent elements is generated in a
storage device (e.g., the RAM) when the CPU executes the
programs.
[0049] The content obtaining unit 500 receives the encrypted pieces
that constitute the encrypted content from at least one of the
seeders 52, via the P2P network NT and stores the received
encrypted pieces into a storage device like the RAM or an external
storage device. More specifically, the content obtaining unit 500
first receives a Torrent File from the sales server 54. The Torrent
File contains tracker information including tracker connection
destination information used for connecting to the tracker 51 and
file information indicating what encrypted pieces constitute the
encrypted content. FIG. 9 is a diagram illustrating an example of
the Torrent File. In FIG. 9, as for the file information, the
indexes corresponding to the encrypted pieces are shown as the
information used for identifying each of the encrypted pieces.
[0050] Based on the Torrent File, the content obtaining unit 500
accesses the tracker 51 via the P2P network NT and receives, from
the tracker 51, node information used for accessing the other nodes
(e.g., the seeders 52 and other leechers 50) connected to the P2P
network NT. (The node information will be explained in detail
later.) After that, based on the node information, the content
obtaining unit 500 accesses at least one of the nodes and obtains
piece information indicating the sequence of encrypted pieces
stored in the node. Based on the piece information, the content
obtaining unit 500 then receives the encrypted pieces that
constitute the encrypted content from at least one of the nodes so
as to obtain all the encrypted pieces (hereinafter, the "piece
sequence") that constitute the encrypted content. For example, of
the encrypted pieces shown in FIG. 3, the content obtaining unit
500 obtains all the encrypted pieces that are shown with hatching
as the piece sequence.
[0051] Also, the content obtaining unit 500 refers to an invalid
piece list that has been obtained by the invalid-piece list
obtaining unit 504 (explained below) and judges whether each of the
obtained encrypted pieces is an encrypted piece that is invalid
(hereinafter, "invalid encrypted piece"). In the case where the
content obtaining unit 500 has judged that any of the obtained
encrypted pieces is an invalid encrypted piece, the content
obtaining unit 500 deletes the encrypted piece from the storage
device or the external storage device and obtains another encrypted
piece (hereinafter, a "substitute encrypted piece") that serves as
a substitute for the deleted encrypted piece. More specifically,
the substitute encrypted piece is an encrypted piece from which the
same piece can be decrypted as from the encrypted piece that has
been judged to be an invalid encrypted piece, by using a decryption
key that is different from the decryption key used for decrypting
the judged encrypted piece.
[0052] The invalid-piece list obtaining unit 504 obtains the
invalid piece list from the tracker 51. The invalid piece list
shows one or more identifiers of one or more encrypted pieces that
can respectively be decrypted by using one or more decryption keys
that have been disclosed and have already been invalidated. For the
sake of convenience of the explanation, the encrypted pieces listed
in the invalid piece list will be referred to as invalid encrypted
pieces. The identifiers of the encrypted pieces listed in the
invalid piece list can be in any form as long as the identifiers
make it possible to identify each of the encrypted pieces. Each of
the identifiers may be, for example, a hash value of a
corresponding one of the encrypted pieces. More specifically, for
example, the invalid piece list shows, for each of the encrypted
pieces that can respectively be decrypted with the decryption keys
that have already been invalidated, the index of the piece and a
hash value of the encrypted piece. For example, each of the hash
values of the encrypted pieces can be expressed as below:
{hash(E(K(i, j)) [Cj])}
where 1.ltoreq.i.ltoreq.m and 1.ltoreq.j.ltoreq.N are
satisfied.
[0053] Each of such encrypted pieces of which the hash value is
listed in the invalid piece list is judged to be an invalid
encrypted piece.
[0054] The key-ring requesting unit 501 transmits a request message
to the key server 53 to request a key-ring used for decrypting the
piece sequence. The key-ring contains the decryption keys used for
decrypting the encrypted pieces in the piece sequence in
correspondence with the sequence of the encrypted pieces. The
key-ring and the decryption keys will be explained in detail later.
The request message contains index information as information that
specifies the sequence of the decryption keys contained in the
key-ring, the index information indicating the combination (i.e.,
the sequence) of the indexes of the encrypted pieces in the piece
sequence.
[0055] For example, the sequence can be expressed as below:
{(i1, 1), (i2, 2), . . . , (iN, N)}
where 1.ltoreq.i1, . . . , iN.ltoreq.m is satisfied.
[0056] The key-ring obtaining unit 502 receives the key-ring that
has been transmitted from the key server 53 in response to the
request message. The content decrypting unit 503 decrypts the
encrypted pieces that have been obtained by the content obtaining
unit 500, with the decryption keys that are contained in the
key-ring obtained by the key-ring obtaining unit 502 and that
correspond to the encrypted pieces respectively. The content
decrypting unit 503 thus obtains the content that is constituted
with the pieces resulting from the decryption process.
[0057] There is a situation in which the leecher 50 functions as a
seeder, as explained above; however, because the functional
configuration of a seeder has already been explained in the
description of the seeder 52, the explanation thereof will be
omitted.
[0058] Next, various types of functions that are realized when the
CPU of the key server 53 executes the various types of programs
stored in the storage devices and the external storage devices will
be explained. FIG. 10 is an exemplary functional diagram of the key
server 53. The key server 53 includes a controlling unit 530, a
packet processing unit 531, a network interface unit 532, an
authentication/key exchange processing unit 533, a key storage unit
534, a sequence information storage unit 536, a sequence
information comparing unit 535, and a key supplying unit 537. The
actual substance of each of the units such as the controlling unit
530, the sequence information comparing unit 535, the network
interface unit 532, the packet processing unit 531, the
authentication/key exchange processing unit 533, and the key
supplying unit 537 is generated in a storage device (e.g., the RAM)
when the CPU executes the programs. The key storage unit 534 is,
for example, stored in an external storage device.
[0059] The controlling unit 530 controls the entirety of the key
server 53 and also intermediates instructions from the sequence
information comparing unit 535 to the key supplying unit 537. The
packet processing unit 531 packetizes various types of data to be
transmitted to external apparatuses such as a leecher 50 and
forwards the packet to the network interface unit 532. The packet
processing unit 531 also obtains data, based on packets forwarded
from the network interface unit 532. The network interface unit 532
controls communication with external apparatuses, transmits the
packetized data forwarded from the packet processing unit 531 to
the external apparatuses, and forwards the packets received from
the external apparatuses to the packet processing unit 531.
[0060] The authentication/key exchange processing unit 533 performs
a mutual authentication process with the leecher 50 via the network
interface unit 532 and, after the authentication process has been
finished, receives the index information from the leecher 50.
[0061] The key storage unit 534 is provided in, for example, an
external storage device such as an HDD and stores therein the
decryption keys used for decrypting the encrypted pieces. Each of
the decryption keys is expressed as, for example, K(i, j), as
explained above.
[0062] The sequence information storage unit 536 is provided in,
for example, an external storage device such as an HDD and stores
therein sequence information indicating the sequences that
respectively correspond to all the key-rings that were transmitted
to the leechers 50 in the past. For example, the sequences that
respectively correspond to the key-rings can be expressed as below,
like the sequences indicated in the index information described
above:
{(i1, 1), (i2, 2), . . . , (iN, N)}
where 1.ltoreq.i1, . . . , iN.ltoreq.m is satisfied.
[0063] The sequence information comparing unit 535 compares the
sequence information stored in the sequence information storage
unit 536 with the index information received from the leecher 50
and determines whether the key-ring corresponding to the sequence
indicated in the index information should be transmitted. More
specifically, in the case where the sequence information storage
unit 536 stores therein no sequence information indicating the same
sequence as the sequence indicated in the index information, the
sequence information comparing unit 535 determines that the
key-ring corresponding to the sequence indicated in the index
information should be transmitted. For example, the key-ring can be
expressed as below (In the example below, the decryption keys that
respectively correspond to the pieces C1 to CN are arranged in a
row from the left side):
{K(i1, 1), K(i2, 2), . . . , K(iN, N)}
where 1.ltoreq.i1, . . . , iN.ltoreq.m is satisfied.
[0064] In the case where the sequence information comparing unit
535 has determined that the key-ring should be transmitted, the
sequence information comparing unit 535 instructs, via the
controlling unit 530, the key supplying unit 537 to transmit the
key-ring to the leecher 50. On the contrary, in the case where the
sequence information comparing unit 535 has determined that the
key-ring should not be transmitted, the sequence information
comparing unit 535 instructs, via the controlling unit 530, the key
supplying unit 537 that the transmission of the key-ring to the
leecher 50 is prohibited.
[0065] According to the instruction received from the sequence
information comparing unit 535 via the controlling unit 530
instructing that the key-ring should be transmitted, the key
supplying unit 537 reads the decryption keys that correspond to the
sequence of the key-ring out of the key storage unit 534 and
transmits the key-ring that contains the read decryption keys to
the leecher 50 via the network interface unit 532.
[0066] Next, a configuration of the tracker 51 will be explained.
When being accessed by the leecher 50, the tracker 51 transmits the
node information to the leecher 50, the node information being used
for accessing the nodes connected to the P2P network NT. The node
information contains sets each made up of an IP address and a port
number of a different one of the nodes. FIG. 11 is a diagram
illustrating an example of a data structure of the node
information. In FIG. 11, each of the nodes A and B is any one of
the leechers 50A and 50B and the seeders 52A, 52B, and 52C, and a
set made up of the IP address and the port number is shown for each
of the nodes. Also, the tracker 51 transmits the invalid piece list
explained above to the leecher 50.
[0067] Next, a procedure in a content distributing process
performed in the content distribution system according to the
present embodiment will be explained, with reference to FIGS. 12A
and 12B. The leecher 50 is able to receive encrypted pieces from
any of the other leechers 50; in the following explanation,
however, for the sake of convenience of the explanation, it is
assumed that the leecher 50 receives the encrypted pieces from at
least one of the seeders 52A, 52B, and 52C.
[0068] First, the leecher 50 accesses the sales server 54 and
obtains the Torrent File (Step S1). After that, the leecher 50
accesses the tracker 51 by using the tracker connection destination
information included in the tracker information contained in the
Torrent File (Step S2). The tracker 51 then transmits the node
information and the invalid piece list to the leecher 50 (Step S3).
When the leecher 50 has received the node information and the
invalid piece list (Step S4), the leecher 50 accesses, for example,
at least one of the seeders 52A, 52B, and 52C by using the node
information (Step S5). When the seeder 52 is accessed by the
leecher 50, the seeder 52 transmits the piece information to the
leecher 50 so as to indicate the sequence of the encrypted pieces
stored therein (Step S6).
[0069] When the leecher 50 has received the piece information (Step
S7), the leecher 50 accesses at least one of the seeders 52 by
using the piece information (Step S8). From the seeder 52, the
leecher 50 requests, for each of the pieces C1 to CN, at least one
of the plurality of encrypted pieces that can possibly exist in
correspondence with the piece, so that the leecher 50 is able to
receive the encrypted pieces. In response to the request from the
leecher 50, the seeder 52 transmits the encrypted piece stored
therein to the leecher 50 (Step S9). More specifically, for
example, by using the piece information that has been received by
accessing the seeder 52B, the leecher 50 judges whether the seeder
52B stores therein the encrypted piece corresponding to "i1=1"
among the encrypted pieces E(K(i1, 1)) [C1] (where i1 is an integer
that satisfies 1.ltoreq.i1.ltoreq.m) obtained by encrypting the
piece C1. In the case where the result of the judging process is in
the affirmative, the leecher 50 accesses the seeder 52B and obtains
the encrypted piece E(K(1, 1)) [C1] by receiving it from the seeder
52B. In the case where the seeder 52B actually does not store
therein the encrypted piece E(K(1, 1)) [C1], the leecher 50
subsequently accesses another seeder 52 (e.g., the seeder 52C) and
obtains piece information from said another seeder (e.g., the
seeder 52C). In the same manner as described above, by using the
piece information, the leecher 50 judges whether the seeder 52C
stores therein the encrypted piece. In the case where the result of
the judging process is in the affirmative, the leecher 50 accesses
the seeder 52C and attempts to obtain the encrypted piece.
[0070] When having obtained the one of the encrypted pieces from
the seeder 52, the content obtaining unit 500 included in the
leecher 50 judges whether the encrypted piece is an invalid
encrypted piece by referring to the invalid piece list obtained at
Step S4 (Step S9.1). More specifically, the content obtaining unit
500 calculates a hash value of the obtained encrypted piece and
judges whether the calculated hash value is listed in the invalid
piece list. In the case where the calculated hash value is listed
in the invalid piece list, the content obtaining unit 500 judges
that the encrypted piece is an invalid encrypted piece according to
the invalid piece list obtained at Step S4. In that situation (Yes
at Step S9.1), the content obtaining unit 500 performs an invalid
encrypted piece deleting process and a substitute encrypted piece
obtaining process. More specifically, after deleting the encrypted
piece obtained at Step S7, the content obtaining unit 500 requests,
from the seeder 52, a substitute encrypted piece from which the
same piece can be decrypted as from the deleted encrypted piece, by
using a decryption key that is different from the decryption key
used for decrypting the deleted encrypted piece (Step S9.2). In
response to the request from the leecher 50, the seeder 52
transmits a corresponding one of the encrypted pieces stored
therein, to the leecher 50. On the contrary, in the case where the
content obtaining unit 500 has judged at Step S9.1 that the
encrypted piece obtained from the seeder 52 is not an invalid
encrypted piece (No at Step S9.1), the content obtaining unit 500
does not perform the process at Step S9.2.
[0071] By repeating the processes at Steps S8 through S9.2, the
leecher 50 obtains all the encrypted pieces {E(K(i1, 1)) [C1],
E(K(i2, 2)) [C2], . . . , E(K(iN, N)) [CN]} that respectively
correspond to the pieces constituting the content and that
constitute the encrypted content. The key-ring requesting unit 501
included in the leecher 50 transmits the request message to the key
server 53 to request the key-ring containing the decryption keys
used for decrypting the encrypted pieces (Step S10). The request
message contains the index information {(i1, 1), (i2, 2), . . . ,
(iN, N)} indicating the sequence corresponding to the decryption
keys.
[0072] When the authentication/key exchange processing unit 533
included in the key server 53 has received the request message via
the network interface unit 532 (Step S11), the authentication/key
exchange processing unit 533 performs a mutual authentication
process with the leecher 50. In the case where the authentication
process has been performed successfully, the authentication/key
exchange processing unit 533 transmits an acceptance message to the
leecher 50 to indicate that the request has been accepted (Step
S12). When the leecher 50 has received the acceptance message from
the key server 53 (Step S13), the leecher 50 waits for the key-ring
to be transmitted from the key server 53.
[0073] On the other hand, the sequence information comparing unit
535 included in the key server 53 performs a comparing process by
using the index information contained in the request message that
has been received at Step S11 (Step S14). FIG. 13 is a flowchart of
a procedure in the comparing process. In the comparing process, the
sequence information comparing unit 535 compares the index
information contained in the request message that has been received
at Step S11 with the sequence information stored in the sequence
information storage unit 536 (Step S140) and judges whether the
sequence information storage unit 536 stores therein sequence
information indicating the same sequence as the sequence indicated
in the index information (Step S141). In other words, the sequence
information comparing unit 535 judges whether the key-ring
requested by the leecher 50 was transmitted to any of the leechers
50 in the past.
[0074] In the case where the result of the judging process is in
the negative (No at Step S141), the sequence information comparing
unit 535 determines that the key-ring {K(i1, 1), K(i2, 2), . . . ,
K(iN, N)} corresponding to the sequence indicated in the index
information should be transmitted. Thus, the sequence information
comparing unit 535 instructs, via the controlling unit 530, the key
supplying unit 537 to transmit the key-ring to the leecher 50. In
addition, the sequence information comparing unit 535 stores
sequence information indicating the sequence into the sequence
information storage unit 536 (Step S142). The key supplying unit
537 reads the key-ring of which the transmission has been
instructed by the sequence information comparing unit 535 via the
controlling unit 530 out of the key storage unit 534 and transmits
the read key-ring to the leecher 50 via the network interface unit
532 (Step S143). On the contrary, in the case where the result of
the judging process at Step S141 is in the affirmative, the
sequence information comparing unit 535 determines that the
key-ring should not be transmitted and instructs, via the
controlling unit 530, the key supplying unit 537 that the
transmission of the key-ring to the leecher 50 is prohibited (Step
S144).
[0075] Returning to the description of FIGS. 12A and 12B, in the
case where the leecher 50 has received the key-ring {K(i1, 1),
K(i2, 2), . . . , K(iN, N)} from the key server 53 (Yes at Step
S15), the leecher 50 decrypts the encrypted pieces E(K(i1, 1))
[C1], E(K(i2, 2)) [C2], . . . , E(K(iN, N)) [CN] by using the
decryption keys contained in the key-ring (Step S16) so as to
obtain the decrypted pieces C1 to CN and obtain the content C
constituted with the pieces C1 to CN. In other words, the leecher
50 decrypts E(K(i1, 1)) [C1] by using the decryption key K(i1, 1)
and obtains the piece C1, decrypts E(K(i2, 2)) [C2] by using the
decryption key K(i2, 2) and obtains the piece C2, and decrypts
E(K(iN, N)) [CN] by using the decryption key K(iN, N) and obtains
the piece CN. The leecher 50 obtains the other pieces in the same
manner. Thus, the leecher 50 has obtained the content C that is
constituted with the pieces C1 to CN.
[0076] On the contrary, in the case where the leecher 50 does not
receive the key-ring at Step S15 and has received an error message
transmitted from the key server 53 at Step S143 shown in FIG. 13,
the leecher 50 is not able to decrypt the pieces that have been
obtained at Step S10 and is therefore not able to use the content.
In this situation, the process returns to Step S5, so that the
leecher 50 obtains encrypted pieces in a sequence that is different
from the sequence obtained at Step S10 and performs the processes
at Step S10 and thereafter again (No at Step S15).
[0077] As explained above, in the case where the one content is
distributed to the plurality of leechers 50 via the P2P network NT,
the key server 53 determines whether the key-rings should be
transmitted by using the sequences of the encrypted pieces. In this
situation, because the key server 53 avoids re-using the sequences
that have already been used, it is possible to individualize the
content for each of the leechers 50. Accordingly, for example, even
if one key-ring is leaked, it is possible to decrypt only the
encrypted content that corresponds to the leaked key-ring. Thus, it
is possible to inhibit illegitimate use of the content. In
addition, by using, instead of a predetermined sequence, the
sequence defined by the encrypted pieces that are arbitrarily
obtained by the leecher 50, it is possible to realize a flexible
content distributing process that is compliant with the environment
of the P2P network NT.
[0078] In the configuration described above, of the obtained
encrypted pieces, the leecher 50 deletes the one or more encrypted
pieces that have each been judged to be an invalid encrypted piece
based on the invalid piece list and obtains the one or more
substitute encrypted pieces. With this arrangement, even if one or
more of the decryption keys used for decrypting the encrypted
pieces have been leaked, it is possible to specify the
corresponding encrypted pieces as invalid encrypted pieces and to
delete the specified encrypted pieces. Thus, it is possible to
inhibit the impact of leakage of the decryption keys. In addition,
by obtaining the one or more substitute encrypted pieces that serve
as substitutes for the invalid encrypted pieces, it is possible to
inhibit the impact on the leecher's use of the contents.
Consequently, it is possible to prevent the user's convenience from
being hampered.
[0079] In the embodiment described above, an arrangement is
acceptable in which the various types of programs executed by the
leecher 50 are stored in a computer connected to a network such as
the Internet so that the programs are provided as being downloaded
via the network. Another arrangement is acceptable in which the
various types of programs are provided as being recorded on a
computer-readable recording medium such as a CD-ROM, a flexible
disk (FD), a Compact Disk Recordable (CD-R), or a Digital Versatile
Disk (DVD), in a file that is in an installable format or in an
executable format. The same applies to the various types of
programs executed by the key server 53.
[0080] In the embodiment described above, in terms of the timing,
the tracker 51 transmits the invalid piece list at the same time as
transmitting the node information; however, the present invention
is not limited to this example. Another arrangement is acceptable
in which the tracker 51 transmits the invalid piece list at an
arbitrary time.
[0081] Also, in the embodiment described above, the invalid piece
list is transmitted to the leecher 50 by the tracker 51; however,
the present invention is not limited to this example. It is
acceptable if the invalid piece list is transmitted to the leecher
50 by a seeder 52 such as the initial seeder 52A. In that
situation, an arrangement is acceptable in which the seeder 52
transmits the invalid piece list, together with the piece
information, to the leecher 50 at Step S6. Another arrangement is
acceptable in which the seeder 52 transmits the invalid piece list
at an arbitrary time.
[0082] In the embodiment described above, after the leecher 50 has
obtained one of the encrypted pieces from the seeder 52, the
leecher 50 judges at Step S9.1 whether the encrypted piece is an
invalid encrypted piece by referring to the invalid piece list;
however, the present invention is not limited to this example.
Another arrangement is acceptable in which, when the leecher 50
requests the one of the encrypted pieces from the seeder 52 at Step
S8, the leecher 50 requests an encrypted piece other than the
invalid encrypted pieces from the seeder 52. More specifically, the
leecher 50 determines an encrypted piece that is an obtainment
candidate by using the piece information obtained at Step S7,
calculates a hash value of the encrypted piece, and judges whether
the calculated hash value is listed in the invalid piece list
obtained at Step S3. In other words, the leecher 50 judges whether
the encrypted piece serving as the obtainment candidate is an
invalid encrypted piece, by referring to the invalid piece list. In
the case where the leecher 50 has judged that the encrypted piece
is not an invalid encrypted piece, the leecher 50 accesses the
seeder 52B and obtains the encrypted piece from the seeder 52B. On
the other hand, in the case where the leecher 50 has judged that
the obtainment candidate encrypted piece is an invalid encrypted
piece, the leecher 50 further judges whether the seeder 52B stores
therein an encrypted piece from which the same piece can be
decrypted as from the obtainment candidate encrypted piece by using
a decryption key that is different from the decryption key used for
decrypting the obtainment candidate encrypted piece. According to
the result of the judging process, the leecher 50 further judges
whether this encrypted piece is an invalid encrypted piece.
According to the result of this judging process, the leecher 50
accesses the seeder 52B and obtains the encrypted piece that is not
an invalid encrypted piece and serves as a substitute.
[0083] With this arrangement also, it is possible to inhibit the
impact of leakage of the decryption keys. In addition, it is
possible to prevent the user's convenience from being hampered.
[0084] In the embodiment described above, in the case where it has
been judged that the leecher 50 is not able to completely receive
the encrypted piece transmitted at Step S9, an arrangement is
acceptable in which the leecher 50 returns to one of the steps
before Step S9 and starts the process all over again. It is judged
that the leecher 50 is not able to completely receive the
transmitted encrypted piece in the case where, for example, the
leecher 50 has received an encrypted piece or a part of a specific
encrypted piece, but the number of times the leecher 50 has
attempted to obtain it and failed to do so has exceeded a
predetermined threshold value, or the period of time that has
elapsed since the start of the obtaining process has exceeded a
predetermined threshold value.
[0085] In the embodiment described above, at Step S8, after the
leecher 50 has judged whether the seeder 52B stores therein the
desired encrypted piece by using the piece information that has
been received by accessing the seeder 52B, the leecher 50 receives
the encrypted piece E(K(1, 1)) [C1] from the seeder 52B. In other
words, the leecher 50 judges whether the seeder 52B stores therein
the encrypted piece corresponding to, for example, "i1=1" among the
encrypted pieces E(K(i1, 1)) [C1] (where i1 is an integer that
satisfies 1.ltoreq.i1.ltoreq.m) obtained by encrypting the piece
C1, and in the case where the result of the judging process is in
the affirmative, the leecher 50 accesses the seeder 52B and
receives the encrypted piece E(K(1, 1)) [C1] from the seeder 52B.
However, another arrangement is acceptable in which the leecher 50
does not specify "i1=1", but obtains, from the seeder 52B, any one
of the encrypted pieces obtained by encrypting the piece C1 with
the plurality of encryption keys. In that situation, the leecher 50
judges whether the encrypted piece obtained from the seeder 52B is
an invalid encrypted piece by referring to the invalid piece list.
In the case where the leecher 50 has judged that the obtained
encrypted piece is an invalid encrypted piece, the leecher 50
deletes the obtained encrypted piece and obtains a substitute
encrypted piece from the seeder 52B.
[0086] With this arrangement also, it is possible to inhibit the
impact of leakage of the decryption keys. In addition, it is
possible to prevent the user's convenience from being hampered.
[0087] In the embodiment described above, during the invalid
encrypted piece deleting process and the substitute encrypted piece
obtaining process performed at Step S9.2, in the case where the
leecher 50 has judged that the obtained encrypted piece is an
invalid encrypted piece, the leecher 50 deletes the encrypted
piece. However, another arrangement is acceptable in which the
leecher 50 determines whether the leecher 50 should delete the
encrypted piece that has been judged to be an invalid encrypted
piece, based on an obtainment status of the encrypted pieces or an
obtainment status of the decryption keys. FIG. 14 is a flowchart of
a procedure in an invalid encrypted piece deleting process and a
substitute encrypted piece obtaining process according to the
present modification example. The content obtaining unit 500
included in the leecher 50 refers to the Torrent File and
calculates an obtainment ratio for the encrypted pieces that have
already been obtained (Step S50). For example, the obtainment ratio
can be calculated in the following manner: The Torrent File
indicates that the content is constituted with the pieces C1 to CN.
By referring to the Torrent File, the content obtaining unit 500 is
able to determine the total number of pieces that constitute the
content. Thus, the content obtaining unit 500 calculates a ratio of
the number of pieces that have been received as encrypted pieces
among the pieces C1 to CN constituting the content to the total
number of pieces C1 to CN (i.e., N in the present example), as the
obtainment ratio.
[0088] Next, the content obtaining unit 500 refers to the
obtainment ratio calculated at Step S50 and judges whether all the
encrypted pieces corresponding to the pieces C1 to CN have been
obtained (Step S51). In the case where the content obtaining unit
500 has judged that all the encrypted pieces have not been obtained
(No at Step S51), the content obtaining unit 500 judges whether the
obtainment ratio calculated at Step S50 is equal to or lower than a
predetermined threshold value (Step S52). In the case where the
obtainment ratio is not equal to or lower than the threshold value
(No at Step S52), the content obtaining unit 500 does not delete
the encrypted piece obtained from the seeder at Step S9.1. On the
contrary, in the case where the obtainment ratio is equal to or
lower than the threshold value (Yes at Step S52), the content
obtaining unit 500 obtains a substitute encrypted piece from which
the same piece can be decrypted as from the encrypted piece
obtained from the seeder 52 at Step S9.1, by using a decryption key
that is different from the decryption key used for decrypting the
encrypted piece obtained at Step S9.1 (Step S53). After that, the
content obtaining unit 500 deletes the encrypted piece obtained
from the seeder 52 at Step S9.1 (Step S54). With this arrangement,
it is possible to apply a restriction so that a substitute
encrypted piece is obtained only when the obtainment ratio for the
encrypted pieces is equal to or lower than the threshold value.
[0089] On the other hand, in the case where the content obtaining
unit 500 has judged at Step S51 that all the encrypted pieces
corresponding to the pieces C1 to CN have been obtained (Yes at
Step S51), the content obtaining unit 500 judges whether the
key-ring obtaining unit 502 has obtained the key-ring containing
the decryption keys used for decrypting the encrypted pieces,
respectively (Step S55). In the case where the content obtaining
unit 500 has judged that the key-ring obtaining unit 502 has not
obtained the key-ring (No at Step S55), the content obtaining unit
500 performs the processes at Step S53 and thereafter. On the
contrary, in the case where the content obtaining unit 500 has
judged that the key-ring obtaining unit 502 has obtained the
key-ring (Yes at Step S55), the content obtaining unit 500 does not
delete the encrypted piece that has been obtained from the seeder
52 at Step S9.1. With this arrangement, in the case where the
key-ring has already been obtained, it is possible to avoid
performing the processes of deleting the specific encrypted piece
that is an invalid encrypted piece and obtaining a substitute
encrypted piece, so that the user's convenience is prioritized.
[0090] In the embodiment described above, the leecher 50 obtains
the encrypted pieces from the seeder 52; however, the present
invention is not limited to this example. Another arrangement is
acceptable in which the leecher 50 obtains the encrypted pieces
from any of the other leechers 50.
[0091] Yet another arrangement is acceptable in which, with respect
to each of the encrypted pieces that respectively correspond to the
pieces C1 to CN, the leecher 50 obtains a plurality of mutually
different encrypted pieces for the piece. For example, with respect
to the piece C1, it is acceptable for the leecher 50 to obtain the
encrypted pieces E(K(i1, 1)) [C1] and E(K(i1', 1)) [C1] (where
i1.noteq.i1', 1.ltoreq.i1.ltoreq.m, and 1.ltoreq.i1'.ltoreq.m are
satisfied). With this arrangement, in the case where the leecher 50
has judged at Step S9.2 that the encrypted piece obtained at Step
S9.1 is an invalid encrypted piece, after the leecher 50 has
deleted the encrypted piece the leecher 50 is able to omit the
substitute encrypted piece obtaining process, if the following
condition is satisfied: a substitute encrypted piece that serves as
a substitute for the deleted encrypted piece has already been
obtained. Further, with this arrangement, when the leecher 50
requests the key-ring from the key server 53, if the sequence
containing the index (i1, 1) has already been used, the leecher 50
is not able to obtain the key-ring corresponding to the sequence,
but if the sequence containing the index (i1', 1) is usable, the
leecher 50 is able to obtain the key-ring corresponding to this
sequence from the key server 53 without having to access the seeder
52 again. With this arrangement in which the leecher 50 obtains the
extra encrypted piece in advance, the leecher 50 is able to prepare
the plurality of sequence candidates in advance. Thus, the leecher
50 is able to avoid the trouble of having to access the seeder 52
again.
[0092] In the embodiment described above, the leecher 50 judges
whether the obtained encrypted piece is an invalid encrypted piece
by referring to the invalid piece list; however, the present
invention is not limited to this example. Another arrangement is
acceptable in which the key server 53 judges whether the encrypted
piece that has been obtained by the leecher 50 is an invalid
encrypted piece. More specifically, for example, during the
comparing process performed at Step S140 in FIG. 13, the sequence
information comparing unit 535 included in the key server 53 judges
whether any of the encrypted pieces decrypted with the decryption
keys contained in the key-ring requested by the leecher 50 is an
invalid encrypted piece. In this situation, for example, the
invalid piece list shows one or more indexes of the one or more
encrypted pieces each of which is specified as an invalid encrypted
piece. The sequence information comparing unit 535 included in the
key server 53 obtains the invalid piece list by receiving it from
the tracker 51 or the seeder 52 or by reading it from a storage
medium according to an operation of a managing person. FIG. 15 is a
flowchart of a procedure in the comparing process according to the
present modification example. The sequence information comparing
unit 535 included in the key server 53 compares the index
information contained in the request message that has been received
at Step S11 in FIG. 12B with the invalid piece list (Step S140-1)
and judges whether any of the indexes included in the sequence
indicated in the index information matches any of the indexes
listed in the invalid piece list (Step S140-2). In the case where
the result of the judging process is in the affirmative, it means
that the encrypted pieces for which the decryption keys have been
requested by the leecher 50 include one or more invalid encrypted
pieces. In that situation (Yes at Step S140-2), the sequence
information comparing unit 535 determines that the key-ring
containing the decryption keys for the encrypted pieces should not
be transmitted, and the process proceeds to Step S144. After that,
in the same manner as described above, the sequence information
comparing unit 535 instructs the key supplying unit 537 that the
transmission of the key-ring to the leecher 50 is prohibited, the
key-ring having been requested in the request message received at
Step S11. On the contrary, in the case where the result of the
judging process at Step S140-2 is in the negative (No at Step
S140-2), that is, in the case where the encrypted pieces for which
the decryption keys have been requested by the leecher 50 include
no invalid encrypted piece, the sequence information comparing unit
535 performs the processes at Step S140 and thereafter in the same
manner as described above so as to determine whether the key-ring
should be transmitted according to the result of the sequence
comparing process and to transmit the key-ring to the leecher 50
according to the result of the determining process.
[0093] With this arrangement, it is possible to inhibit the impact
of leakage of the decryption keys, without increasing the
processing load on the leecher 50.
[0094] In the case where the encrypted pieces for which the
decryption keys have been requested by the leecher 50 include no
invalid encrypted piece, another arrangement is acceptable in which
the sequence information comparing unit 535 does not perform the
processes at Steps S140 through S141, but instructs the key
supplying unit 537 to transmit the key-ring to the leecher 50, the
key-ring having been requested in the request message received at
Step S11. In other words, an arrangement is acceptable in which, in
the case where none of the encrypted pieces obtained by the leecher
50 is an invalid encrypted piece, the key server 53 transmits, to
the leecher 50, the key-ring requested by the leecher 50 in the
request message.
[0095] In the description above, in the case where it has been
judged at Step S140-2 that the encrypted pieces for which the
decryption keys have been requested by the leecher 50 include one
or more invalid encrypted pieces, the key server 53 does not
transmit the key-ring containing the decryption keys to the leecher
50; however, the present invention is not limited to this example.
Another arrangement is acceptable in which the key server 53
transmits, to the leecher 50, a substitute encrypted piece
(hereinafter, a "valid encrypted piece") that serves as a
substitute for the invalid encrypted piece and a key-ring
containing the decryption key for decrypting the valid encrypted
piece. In that situation, it is assumed that, like the initial
seeder 52A, the key server 53 stores therein, for each of the
encrypted pieces that respectively correspond to the pieces
constituting the content, all of the encrypted pieces that have
been generated by encrypting the piece by using a plurality of
encryption keys per piece. In the case where the result of the
judging process performed at Step S140-2 is in the affirmative, the
key server 53 generates another sequence {(i1', 1), (i2, 2), . . .
, (iN, N)} that contains no indexes of the invalid encrypted pieces
and that has not been stored in the sequence information storage
unit 536. In other words, the key server 53 determines the
decryption key used for decrypting the substitute encrypted piece
from which the same piece can be decrypted as from the invalid
encrypted piece, by using a decryption key that is different from
the decryption key used for decrypting the invalid encrypted piece.
The key server 53 further determines the sequence that shows a
combination of indexes including the index of the determined
decryption key and that has not been stored in the sequence
information storage unit 536. Subsequently, the key server 53
transmits the index (i.e., (i1', 1) in the present example) to the
leecher 50, as replacement index information, together with the
valid encrypted piece (e.g., E(K(i1', 1)) [C1]). In addition, the
key server 53 transmits a key-ring containing the decryption keys
that correspond to the sequence {(i1', 1), (i2, 2), . . . , (iN,
N)} to the leecher 50.
[0096] With this arrangement, it is possible to inhibit the impact
of leakage of the decryption keys, without increasing the
processing load on the leecher 50. Further, because the key server
53 transmits, to the leecher 50, the valid encrypted piece and the
key-ring containing the decryption key used for decrypting the
valid encrypted piece, the leecher 50 is able to avoid the trouble
of having to access the seeder 52 and the key server 53 again.
[0097] The indexes indicated in the replacement index information
are not limited to the example described above, as long as the
replacement index information is able to specify the decryption key
used for decrypting the substitute encrypted piece from which the
same piece can be decrypted as from the encrypted piece specified
as an invalid encrypted piece in the invalid piece list, by using a
decryption key that is different from the decryption key used for
decrypting the encrypted piece specified as an invalid encrypted
piece.
[0098] In the embodiment described above, the leecher 50 judges
whether the obtained encrypted piece is an invalid encrypted piece,
by referring to the invalid piece list; however, the present
invention is not limited to this example. Another arrangement is
acceptable in which the seeder 52 refers to the invalid piece list
and does not transmit, to the leecher 50, any of the encrypted
pieces each of which is an invalid encrypted piece. With this
arrangement, it is possible to inhibit the impact of leakage of the
decryption keys, without increasing the processing load on the
leecher 50.
[0099] In the embodiment described above, in the case where the
leecher 50 has judged that the encrypted piece obtained from the
seeder 52 is an invalid encrypted piece, after the leecher 50 has
deleted the encrypted piece, the leecher 50 obtains the substitute
encrypted piece; however, another arrangement is acceptable in
which the leecher 50 does not obtain the substitute encrypted
piece. With this arrangement, in the case where there is an invalid
encrypted piece with respect to at least one of the pieces that
constitute the content, it is possible to inhibit the use of the
content itself. Thus, it is possible to inhibit the impact of
leakage of the decryption keys more effectively.
[0100] In the embodiment described above, with regard to the
encrypted pieces shown in FIG. 4, of the N pieces, each of as many
pieces as "a" (where 1<a<N) is encrypted by using the
plurality of mutually different encryption keys per piece. However,
another arrangement is acceptable in which each of the pieces is
encrypted by using only one encryption key per piece. In other
words, another arrangement is acceptable in which there is only one
encrypted piece for each of the pieces.
[0101] Additional advantages and modifications will readily occur
to those skilled in the art. Therefore, the invention in its
broader aspects is not limited to the specific details and
representative embodiments shown and described herein. Accordingly,
various modifications may be made without departing from the spirit
or scope of the general inventive concept as defined by the
appended claims and their equivalents.
* * * * *